Re: Policy URL -> Policy URI

Rick van Rein <rick@openfortress.nl> Tue, 08 February 2005 09:41 UTC

Date: Tue, 08 Feb 2005 10:24:10 +0100
From: Rick van Rein <rick@openfortress.nl>
Subject: Re: Policy URL -> Policy URI
In-reply-to: <3c14e78650fa58b06576b2e617409837@callas.org>
To: Jon Callas <jon@callas.org>
Cc: Rick van Rein <rick@openfortress.nl>, ietf-openpgp@imc.org
Message-id: <20050208092410.GC33720@phantom.vanrein.org>
References: <20050207105021.GA17950@phantom.vanrein.org> <3c14e78650fa58b06576b2e617409837@callas.org>
List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/>
List-ID: <ietf-openpgp.imc.org>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hello Jon, others,

> Okay, I see what you're saying, but is it necessary?

I think it is.

1. I think PGP is providing too little certainty about the meaning of a
   signature with its current four-grade signing setup.  At least, it is
   not suitable for commercial use, which would be great to support.  A
   suitable policy mechanism can help in that case.

2. It is not smart to fall behind on other signing flexibility; PGP already
   lacks the appeal to decision-makers that PKIX and even XML Signing have;
   any URN-based policy initiative could therefore easily forget to
   incorporate PGP and render it useless for that kind of application.

3. There are always work-arounds.  For example, the kind of schemes
   suggested under 2. could declare a website to do the translation from
   URN to URL for the sake of PGP.  Aside from that being awkward, it would
   be a challenge to the longevity of the spec and may for that reason be
   left out.  We don't want that to happen.

> A long time ago, the keyserver URL said URI and we changed it for 
> reasons that I can't remember.  I think it's because we didn't think it 
> was necessary, that if it happened to be a URI, the worst that could 
> happen would be that someone wouldn't understand it, but that's always 
> a risk.

Indeed, the *keyserver* should not be referenced by name -- if you cannot
determine the location of a server, what is it going to be good for?

For policies, I think we have a whole different matter at hand --
references to books, an ISSN-series of widely acknowledged signing policies
and ASN.1 OIDs are all good ways to point at a policy.  Moreover, they are
supportive of Internet-wide schemes, which is rarely the case if a URL is
used.

Imagine that I would start pushing PGP-signers to follow
	http://openfortress.nl/doc/some-policy.pdf
How would that make you feel?  It would mean some company set it up.  A
company with full control over the URL.  Other companies are going to be
too proud or too smart to use the same signing policy *location*.  Even if
they literally copy the content, the average signature validator would not
notice because the strings differ.  In short, URLs are bad for
interoperable policies.

A URN-scheme on the other hand, can serve quite well for Internet-wide,
non-proprietary published policies.  It can enforce the secure hash of a
document, which can only be weakly suggested in a URL.  That would take
care of the pride issue.  Furthermore, URNs can support rewriting to
equivalent forms, which would be helpful for supportive software to find
more matches than a simple string match can be.

> If you happened to put in the policy URL an ISBN number, wouldn't it be 
> obvious what it meant? Wouldn't it work just fine?

There are always work-arounds, but why invite them?  There are no
disadvantages to changing to a Policy URI.

> I don't mind changing it, but is this just a difference without 
> distinction?

The change is vital in my opinion.


Thanks,
 -Rick

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (FreeBSD)
Comment: To understand digital signatures visit http://openfortress.nl

iD8DBQFCCIUsFBGpwol1RgYRAm41AJ4p8RN6BJ88+BW+gI7vkbodv6BH7ACeP2Wq
GL8TuglRzRNGvW2/PyeDH2Y=
=axg7
-----END PGP SIGNATURE-----
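
The matching problem raised in the message above, as an added example that is not part of the original post: a validator comparing policy identifiers by string sees two URLs for the same document as different policies, while URNs can be rewritten to an equivalent form before comparison and can name a document by its hash. The rewriting follows the URN-equivalence rules of RFC 8141; the `policy-sha256` naming under the reserved `example` namespace, the sample URLs and the policy text are constructed assumptions.

```python
import hashlib
import re

# Constructed sample data: one policy text published by two companies.
POLICY_TEXT = b"Constructed sample signing policy, version 1.\n"
URL_A = "http://company-a.example/doc/signing-policy.pdf"
URL_B = "http://company-b.example/legal/policy.pdf"


def normalize_urn(uri: str) -> str:
    """Return the RFC 8141 URN-equivalence form; leave non-URNs untouched."""
    m = re.match(r"(?i)^urn:([a-z0-9][a-z0-9-]{0,30}[a-z0-9]):(.+)$", uri)
    if not m:
        return uri  # URLs get no rewriting: only an exact string can match
    nid, nss = m.group(1).lower(), m.group(2)
    # r-, q- and f-components do not take part in equivalence.
    nss = re.split(r"\?\+|\?=|#", nss, maxsplit=1)[0]
    # Hex digits of percent-escapes are case-insensitive; the rest of the
    # namespace-specific string stays case-sensitive.
    nss = re.sub(r"%[0-9A-Fa-f]{2}", lambda e: e.group(0).upper(), nss)
    return f"urn:{nid}:{nss}"


def same_policy(a: str, b: str) -> bool:
    """Compare two policy identifiers the way a signature validator might."""
    return normalize_urn(a) == normalize_urn(b)


def hash_urn(document: bytes) -> str:
    """Hypothetical hash-bearing policy name under the 'example' NID."""
    return "urn:example:policy-sha256:" + hashlib.sha256(document).hexdigest()


def document_matches(uri: str, document: bytes) -> bool:
    """Check that a retrieved document is the one the URN names."""
    return same_policy(uri, hash_urn(document))


if __name__ == "__main__":
    # Same content, two locations: the URL strings never match.
    print("URLs match:", same_policy(URL_A, URL_B))
    # Either company can derive the same name from the content alone.
    name = hash_urn(POLICY_TEXT)
    print("URN:", name)
    print("content verified:", document_matches(name.upper()[:11] + name[11:], POLICY_TEXT))
```
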